Well, you are attempting to block things that use port 80. On a firewall the only way I know is to block the IPs of those sites. That could be difficult as there are probably many IPs for those sites. If you had the money, you could add an appliance such as IronPort which would allow you to filter based on domain.

Without bucks you'll have to manually filter the IPs. Or accept that Facebook and the like are here to stay and encourage non-abusive use of same.

I am going to monitor this reply closely. I and others (including the leaders of many repressive regimes throughout the world) have been unable to effectively block any of the social networks permanently.

It appears that, for their own reasons, Facebook, Twitter et al. seem to take it as a personal challenge if they are blocked and do whatever is necessary to contravene the most elementary or complex blockage. Whether for good or evil, if you have access to the internet, a way is usually found, as you noted, to overcome blockage within a few days at most.

Hello,
How about using the NBAR functionality on the router and parsing for the specific URL or URLs? Maybe associate this with a time-based ACL, e.g. Facebook during lunchtime is OK? A dedicated web-filtering appliance might be the best option but is obviously more expensive. Also, you need to check if the NBAR feature is available in your particular version of IOS. Hope this helps.
Best regards, H.

Usually big companies have multiple datacenters and multiple servers in a variety of subnets. So, it's really hard to block it by access-list. I think you'd have a much better chance to block it by domain name. Do you use your own DNS server, or do all users go to a public DNS server? If you have your own DNS server, just add domain records for the networks you want to block that resolve to 127.0.0.1 (or to any other website, for example, to the page with a corporate policy). If you don't have a DNS server, then you may put these entries into the users' hosts file. Sure, smart users will figure it out, plus you will need to somehow install it on each and every PC in your company (you may do it through a boot-up script, for example). Also you may block these sites through a local security policy, but it may be more complicated to implement.
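The DNS sinkhole the reply above describes, written out as an added example (not code from the thread or from any poster): an internal resolver receives a raw DNS query, checks the queried name against a blocklist, and for a match answers with the sinkhole address instead of forwarding upstream. The blocklist, the sinkhole address and the query built by `build_query` are constructed sample values; a real deployment would plug `sinkhole_response` into the resolver's UDP handler and forward every `None` result to the upstream server.

```python
"""Minimal DNS sinkhole decision logic (added example, standard library only).

Blocked names, including any subdomain (www., m., api., ...), get an A answer
pointing at SINKHOLE_IP; everything else returns None, meaning "forward upstream".
"""
import struct
import ipaddress

BLOCKED_DOMAINS = {"facebook.com", "twitter.com"}   # constructed sample blocklist
SINKHOLE_IP = "127.0.0.1"                            # or the host serving the policy page
SINKHOLE_TTL = 60                                    # short TTL so rollback takes effect quickly


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname into DNS wire (label) format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(packet: bytes, offset: int):
    """Decode a label sequence at offset; returns (lowercased name, offset after it).
    Compression pointers are not expected in the question section of a query."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def is_blocked(qname: str) -> bool:
    """True for a blocked domain itself or any subdomain of it (not for look-alikes)."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in BLOCKED_DOMAINS)


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a standard recursive A/IN query (used here as sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def sinkhole_response(query: bytes):
    """Return a sinkhole answer for blocked A/IN queries, else None (forward upstream)."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, end = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qtype != 1 or qclass != 1 or not is_blocked(qname):
        return None
    # Response header: QR=1, RD copied from the query, RA=1, one question, one answer
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 1, 0, 0)
    question = query[12:end + 4]
    # Answer RR: pointer to the question name (0xC00C), type A, class IN, TTL, rdlength 4
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, SINKHOLE_TTL, 4)
    answer += ipaddress.IPv4Address(SINKHOLE_IP).packed
    return header + question + answer


def answered_address(response: bytes) -> str:
    """Extract the A record address from a response produced above (for checks)."""
    _, end = decode_name(response, 12)
    rdata = end + 4 + 12   # skip QTYPE/QCLASS, then name ptr(2)+type(2)+class(2)+ttl(4)+rdlen(2)
    return str(ipaddress.IPv4Address(response[rdata:rdata + 4]))


if __name__ == "__main__":
    for name in ("www.facebook.com", "notfacebook.com", "example.com"):
        r = sinkhole_response(build_query(name))
        print(name, "->", answered_address(r) if r else "forward upstream")
```

Two things decide whether this holds up in practice: clients must actually use the internal resolver, so the edge firewall should only permit UDP/TCP 53 (and DNS-over-TLS/HTTPS endpoints) from that resolver, not from every workstation; and the suffix match in `is_blocked` deliberately stops at label boundaries so that an unrelated name containing the string is not caught.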

You can't block any social network with an ACL. There is no way to do such a thing, at least for the long term.

Working with ACLs you probably have a good understanding of the OSI model.
If so, you should know and understand that with that router there is no way to permanently block communications that occur at level 5, 6 or 7 of the OSI model working with ACLs.
With ACLs you are working at layer 3 or 4, so in common terms your router can't "talk" the same language as the upper layers.
If it can't talk that language, it can't block them.

You can consider using a proxy. Only with a proxy (or a better router) can you talk the same language as all your web traffic.
Even so, for HTTPS traffic (as suggested), you should only *permit* known trusted sites; everything else that uses SSL should be blocked. You should not permit traffic at your organization that you know nothing about.
